New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but "Install Mode" won't stop ERP from alerting about vulnerable processes, the developer never did fix this. Plus ERP can't make specific parent-child process rules, so I concluded that it's not worth it, because when you install tools you will always click on allow. I agree that browsers and other tools that are often targeted by exploits have no business running rundll32.exe, luckily SpyShelter also watches for child process execution, but it's not user-friendly.
     
  2. guest

    guest Guest

    Correct.
But I meant, if a new hash of a file has not been added to the vulnerable list and [X] Allow processes signed only by Trusted Vendors is enabled = there is no "Vulnerable Application detected"-alert anymore after for example c:\windows\system32\PresentationHost.exe (Trusted Vendor: Microsoft) was updated.
    PresentationHost.exe (added to Trusted Vendor) = added to "Vulnerable List" = Alert every time it executes (=expected)
    PresentationHost.exe (added to Trusted Vendor) = checksum was changed but new checksum not yet added to the Vulnerable List = No Alert (!)

    If the file is unsigned (or not a trusted vendor) this can happen:
    True, and after the user whitelisted the new file, the user has to add it to the vulnerable list too (to get an "Vulnerable Application detected"-alert every time it executes)
    Whitelisted changed file + Not in "Vulnerable processes" = No Alert after future executions
    Whitelisted changed file + added to "Vulnerable processes" = Alert every time it executes (this is what we want)

    Look:
    a) [X] Allow processes signed only by Trusted Vendors
    b) Now copy a simple signed file from a Trusted Vendor to the Windows-directory, execute it = No Alert (as expected)
    c) Now add it to vulnerable apps, and after executing = "Vulnerable application detected"-Alert (we want this alert)
    d) But if you exchange the signed file with a newer/older version (=checksum has changed) = No "Vulnerable application detected"-Alert (!) (btw.: and no normal Alert because of (a))
It is now executed without an alert. That's what I mean.
    = File change (new checksum) = File is not vulnerable anymore (the user must add the new hash to "Vulnerable Processes" first)

    My point is, if a Vulnerable process has been changed and the new hash has not been added to "Vulnerable Processes", the user simply gets no alert (if the file is from a Trusted Vendor)
    One more example: .NET (Trusted Vendor: Microsoft Corporation)
If I add all files from .NET to "Vulnerable Processes" = I get "Vulnerable Application"-Alerts every time it executes (as expected)
    But if I update .NET and forget to add new hashes = No Alert (because it's a Trusted Vendor and the new hash was not yet added to "Vulnerable Processes")
    "Vulnerable Processes"-List = Hash-dependent
    This is how it works on your system too ;)
Oh, then it's understandable to turn the monitoring off. I wasn't really aware that vulnerable processes are not ignored in Install Mode :oops:
    Maybe because I rarely used it.
    Correct :D
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Should I keep blocking this or should I try to put a wildcard so it doesn't keep alerting me? It seems to be analytics for auslogics...it happens once I close disk defrag
    /C "start "title" "C:\Users\Owner\AppData\Local\Temp\_Del_DiskDefrag\GASender.exe" C:\Users\Owner\AppData\Local\Temp\_Del_DiskDefrag\GA.json"
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am still trying to get my head around this post and some following posts regarding vulnerable processes.

    I get it that normally with newly updated processes with new hashes one gets the yellow 'process has changed' alert ... but it seems vulnerable processes work differently.

    But since upgrading from 1511 to 1607, I again see in Advanced>Vulnerable processes, the file hash of nearly every vulnerable process (I haven't checked every one) in the vulnerable list has changed.
    e.g. cmd.exe file hash is still listed as 41E25E514D90E9C8BC570484DBAFF62B (from 1511) and if I execute cmd.exe there is no alert.
    Only if I add it again with the now current hash F4F684066175B77E0C3A000549D2922C (in 1607) do I get an alert if I execute cmd.exe.

    I have 'purge old hashes' ticked.

    I can only draw the conclusion that these file hashes do change with every build and that the vulnerable processes have to be re-added / replaced. That is why my (brown) 'Vulnerable Application Detected' alerts went quiet after upgrading from 8.1 to 10.

    Unless I am seriously misunderstanding something.

    @mood FWIW I have 'Allow processes signed only by Trusted Vendors' but my vendor list is empty ... I don't recall ever removing the default vendors ...
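To make the hash-keyed behaviour described in the two posts above concrete, here is an added Python model (not ERP's code): the rule order is inferred from the thread, the cmd.exe hashes are the 1511 and 1607 values paulderdash quotes, and the Policy fields, decide() function and the boolean stand-in for "system protected process" are assumptions.

```python
"""Toy model of the hash-keyed decisions described in the thread (added example)."""
from dataclasses import dataclass, field

VULN_ALERT = "Vulnerable Application detected"      # the brown alert
UNKNOWN_ALERT = "Unknown application detected"      # the orange alert


@dataclass
class Policy:
    # Assumed field names; ERP's real storage is not on the page.
    whitelist: set = field(default_factory=set)        # hashes the user approved
    vulnerable: set = field(default_factory=set)       # Advanced > Vulnerable Processes
    trusted_vendors: set = field(default_factory=set)  # e.g. {"Microsoft Corporation"}
    allow_trusted_vendors: bool = False                # "Allow processes signed only by Trusted Vendors"
    allow_protected_system: bool = False               # "Allow Microsoft Windows system protected processes"


def decide(policy, file_hash, signer=None, system_protected=False):
    """Return the alert raised for one execution, or None for a silent allow."""
    if file_hash in policy.vulnerable:      # checked first: whitelisting does not mute it
        return VULN_ALERT
    if file_hash in policy.whitelist:
        return None
    if policy.allow_protected_system and system_protected:
        return None                         # silent allow, regardless of hash
    if policy.allow_trusted_vendors and signer in policy.trusted_vendors:
        return None                         # silent allow, regardless of hash
    return UNKNOWN_ALERT


def upgrade_scenario(**settings):
    """cmd.exe on 1511, then on 1607 (new hash), then after re-adding the new hash."""
    old = "41E25E514D90E9C8BC570484DBAFF62B"   # 1511 hash quoted in the thread
    new = "F4F684066175B77E0C3A000549D2922C"   # 1607 hash quoted in the thread
    p = Policy(vulnerable={old}, trusted_vendors={"Microsoft Corporation"}, **settings)

    def run(h):  # cmd.exe is Microsoft-signed and a protected system process
        return decide(p, h, signer="Microsoft Corporation", system_protected=True)

    before = run(old)          # brown alert, as expected
    after = run(new)           # None when either auto-allow setting is on
    p.vulnerable.add(new)      # the manual re-add the posters describe
    return before, after, run(new)


if __name__ == "__main__":
    print(upgrade_scenario(allow_trusted_vendors=True))    # (VULN, None, VULN)
    print(upgrade_scenario(allow_protected_system=True))   # (VULN, None, VULN)
    print(upgrade_scenario())                              # (VULN, UNKNOWN, VULN)
```

With both auto-allow settings off, the changed binary still gets an orange alert, which is the behaviour hjlbx recommends relying on later in the thread.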
     
  5. hjlbx

    hjlbx Guest

    The user should not have to manually add hashes when a process changes due to an update.

    It's stupid... it will cause more mistakes and problems than anything else.

    I think what he is saying is that it is settings dependent.

    On my system, I do not enable Trusted Vendors or Allow protected system processes.

Those settings are what appears to be the problem. Since I have never used those settings I have never had to manually add/update a hash a single time.

    If disabling those settings doesn't fix the issue, then it is a bug.

    That being said, I don't think NVT ERP will receive any updates any time soon. The developer is making money elsewhere, so I think NVT ERP is basically not a priority. Perhaps it might be end-of-life if the developer moves on to other things to earn a living.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
There might be a difference in behavior between the paid version and the free beta that some people (like me) are using.
    Just an idea...
     
  7. hjlbx

    hjlbx Guest

In this case it is settings dependent; paid and free function the same with NVT ERP
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK I will change my settings to test this.

    If I untick 'Allow Microsoft Windows system protected processes' I immediately get a bunch of 'unknown application detected' orange alerts for MS Windows processes e.g.
    dllhost.exe
    searchprotocolhost.exe
    searchfilterhost.exe
    backgroundtaskhost.exe
    conhost.exe
    audiodg.exe
    Do I just whitelist these and will it settle down quickly?

    Also which setting specifically do you have for Signed Processes? I have the "Allow processes signed only by Trusted Vendors' ticked but my list of Trusted Vendors is blank. Is that OK?
     

  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @hjlbx Will you still help me on this?

I am currently back to 1511 from 1607 (AU) as I seem to have a driver issue there (laptop won't restart or shutdown).

    But I must say I am confused why some say hashes don't change from version to version or build to build as this has demonstrably been the case for me from 8.1 to 10 1511 to 10 1607.

    Regardless of settings, my vulnerable process, and whitelist parent process hashes e.g. cleanmgr.exe, have changed in each case, and with my settings - allow Windows system protected processes, and allow Trusted Vendors (blank) - no longer give alerts, until they are re-added.

    Maybe unticking these settings does resolve the alert issue, but then does this not alert and require whitelisting of every process (which is also subject to error i.e. what is legit), and then why have the hash checking?

It is increasingly looking like NVT stuff is indeed EOL. Pity.

    Also, to assist those who follow your vulnerable process list postings in the AppGuard thread (thanks for this!), I believe below are new additions from the previous list you posted?

    *qprocess.exe
    *query.exe
    *csvde.exe
    *nbtstat.exe
    *nltest.exe

    I think *netsh.exe was on the previous list, but not anymore?

    A lot of questions, I know. :)
     
    Last edited: Aug 14, 2016
  10. guest

    guest Guest

    @paulderdash If you just finished a clean install, updated the OS, installed your favorite softs, the best thing to do with ERP is to whitelist Program Files Folders (both) and C:\Windows; then shift to Lockdown mode.
It is how I set up ERP when I used it. Everything not whitelisted is blocked, only VPs will trigger prompts.
     
    Last edited by a moderator: Aug 14, 2016
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @guest. Given my problem with AU upgrade, I may well try clean install, which I know you advocate!

    Then I will give that a shot.

    But the vulnerable processes listed by @hjlbx are in C:\Windows so won't they be whitelisted also i.e not trigger an alert (unless they are added to Advanced>Vulnerable Processes).

    Or am I misunderstanding something (again)!
     
  12. guest

    guest Guest

In ERP, Vulnerable Processes will always trigger an alert even if whitelisted. The only way to remove the alert is to remove the process from the list.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
For me ERP vulnerable processes is working just fine. I don't have any settings that automatically whitelist. Also I have stayed away from all this Win 10 mess. Strictly Win 7 here.
     
  14. hjlbx

    hjlbx Guest

    You have to not use these settings:
    • Allow Protected System Processes
    • Allow Trusted Vendors
    There is no way you should be having to add hashes.

    You have to whitelist all processes that are needed - manually when the alert appears; this is the most secure way to use NVT ERP.
    • Clean install OS
    • Immediately install NVT ERP and configure it properly
    • It is best to do it step-wise, otherwise disabling all the settings at once will cause system boot slowdown with a lot of System32 processes being blocked - but after you whitelist them, it no longer occurs
    • Install desired softs
    • Answer each alert
    Those processes you have listed are from the Japanese CERT. They are optional.

    netsh.exe was on list, but it got removed - and I don't know why. You can add it if you wish.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    As per post #5332, may I ask then, for Signed Processes setting - which setting should I check:
    'Do not check if a process is signed (save bandwidth)' or
    'Do not allow signed processes'
    or is 'Allow processes only by Trusted Vendors' but with a blank list of vendors OK?

    Edit: Btw you may have seen Florian has updated his list.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do Not check signed processes
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Peter2150 So do you also have 'Allow all software from Program Files folder' unchecked?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Paul

I do. I do manually whitelist everything in those folders. But I don't want something I don't know about running automatically.

    Pete
     
  19. hjlbx

    hjlbx Guest

    Thanks for pointing me to list. I was aware of it, but just didn't look at it yet. On TO DO list. Be a few weeks - perhaps sooner. I'm setting up three separate systems at the moment.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @hjlbx New on this latest list are:

    taskkill.exe
    quser.exe
    attrib.exe
    xcacls.exe
    takeown.exe
    auditpool.exe
    netsh.exe is back ...

    Not on the list, but on my current list, are:

    mrsa.exe
    wusa.exe
    schtasks.exe
    regedit.exe
    reged32.exe

    but these were probably sourced from elsewhere. I think only mrsa.exe may have been on Florian's original list; probably it has been removed by oversight, rather than intent.
     
  21. rpsgc

    rpsgc Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    312
    Location:
    Portugal
    Hey everyone,

    Dumb question: I'm new to ERP. Is Lockdown mode the preferable method or is it just for that extra security and Alert mode is just fine for normal usage?


    Thanks.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All I use is Alert mode. It's just as secure, you just have to answer alerts.
     
  23. rpsgc

    rpsgc Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    312
    Location:
    Portugal
    Neat, thanks!

I'm sorry to be a nag, but I have just one more question: what should I select under Signed Processes?

    Do not allow signed processes
    Allow all processes with a valid certificate
    Allow processes from the Trusted Vendor list
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This depends on preference. I run in Lockdown-mode, and when I want to install software I switch to alert-mode.

    I have turned this feature off, since malware can sometimes also be signed.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use do not allow signed processes. This avoids the issue of forged signatures.
     